fix(graph, node): add option to authenticate Flight service requests

isum · isum · commit a9fa04911bf8 · 2025-11-20T19:33:19.000-03:00
diff --git a/graph/src/amp/client/flight_client.rs b/graph/src/amp/client/flight_client.rs
@@ -33,6 +33,7 @@ use crate::{
 /// using the Apache Arrow Flight protocol.
 pub struct FlightClient {
     channel: Channel,
+    auth_token: Option<String>,
 }
 
 impl FlightClient {
@@ -56,16 +57,27 @@ impl FlightClient {
 
         Ok(Self {
             channel: endpoint.connect().await.map_err(Error::Connection)?,
+            auth_token: None,
         })
     }
 
+    /// Sets the authentication token for requests to the Amp server.
+    pub fn set_auth_token(&mut self, auth_token: impl Into<String>) {
+        self.auth_token = Some(auth_token.into());
+    }
+
     fn raw_client(&self) -> FlightSqlServiceClient<Channel> {
         let channel = self.channel.cheap_clone();
         let client = FlightServiceClient::new(channel)
             .max_encoding_message_size(256 * 1024 * 1024)
             .max_decoding_message_size(256 * 1024 * 1024);
 
-        FlightSqlServiceClient::new_from_inner(client)
+        let mut client = FlightSqlServiceClient::new_from_inner(client);
+        if let Some(auth_token) = &self.auth_token {
+            client.set_token(auth_token.clone());
+        }
+
+        client
     }
 }
 
diff --git a/graph/src/env/amp.rs b/graph/src/env/amp.rs
@@ -24,6 +24,11 @@ pub struct AmpEnv {
     ///
     /// Defaults to `600` seconds.
     pub query_retry_max_delay: Duration,
+
+    /// Token used to authenticate Amp Flight gRPC service requests.
+    ///
+    /// Defaults to `None`.
+    pub flight_service_token: Option<String>,
 }
 
 impl AmpEnv {
@@ -60,6 +65,12 @@ impl AmpEnv {
                 .amp_query_retry_max_delay_seconds
                 .map(Duration::from_secs)
                 .unwrap_or(Self::DEFAULT_QUERY_RETRY_MAX_DELAY),
+            flight_service_token: raw_env.amp_flight_service_token.as_ref().and_then(|value| {
+                if value.is_empty() {
+                    return None;
+                }
+                Some(value.to_string())
+            }),
         }
     }
 }
diff --git a/graph/src/env/mod.rs b/graph/src/env/mod.rs
@@ -561,6 +561,8 @@ struct Inner {
     amp_query_retry_min_delay_seconds: Option<u64>,
     #[envconfig(from = "GRAPH_AMP_QUERY_RETRY_MAX_DELAY_SECONDS")]
     amp_query_retry_max_delay_seconds: Option<u64>,
+    #[envconfig(from = "GRAPH_AMP_FLIGHT_SERVICE_TOKEN")]
+    amp_flight_service_token: Option<String>,
 }
 
 #[derive(Clone, Debug)]
diff --git a/node/src/main.rs b/node/src/main.rs
@@ -385,12 +385,15 @@ async fn main_inner() {
                     .parse()
                     .expect("Invalid Amp Flight service address");
 
-                let amp_client = Arc::new(
-                    amp::FlightClient::new(addr)
-                        .await
-                        .expect("Failed to connect to Amp Flight service"),
-                );
+                let mut amp_client = amp::FlightClient::new(addr)
+                    .await
+                    .expect("Failed to connect to Amp Flight service");
+
+                if let Some(auth_token) = &env_vars.amp.flight_service_token {
+                    amp_client.set_auth_token(auth_token);
+                }
 
+                let amp_client = Arc::new(amp_client);
                 let amp_instance_manager = graph_core::amp_subgraph::Manager::new(
                     &logger_factory,
                     metrics_registry.cheap_clone(),
diff --git a/node/src/manager/commands/run.rs b/node/src/manager/commands/run.rs
@@ -156,12 +156,15 @@ pub async fn run(
                 .parse()
                 .expect("Invalid Amp Flight service address");
 
-            let amp_client = Arc::new(
-                amp::FlightClient::new(addr)
-                    .await
-                    .expect("Failed to connect to Amp Flight service"),
-            );
+            let mut amp_client = amp::FlightClient::new(addr)
+                .await
+                .expect("Failed to connect to Amp Flight service");
+
+            if let Some(auth_token) = &env_vars.amp.flight_service_token {
+                amp_client.set_auth_token(auth_token);
+            }
 
+            let amp_client = Arc::new(amp_client);
             let amp_instance_manager = graph_core::amp_subgraph::Manager::new(
                 &logger_factory,
                 metrics_registry.cheap_clone(),

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,11 @@ pub struct AmpEnv {`
`24`	`24`	`///`
`25`	`25`	/// Defaults to `600` seconds.
`26`	`26`	`pub query_retry_max_delay: Duration,`
	`27`	`+`
	`28`	`+ /// Token used to authenticate Amp Flight gRPC service requests.`
	`29`	`+ ///`
	`30`	+ /// Defaults to `None`.
	`31`	`+ pub flight_service_token: Option<String>,`
`27`	`32`	`}`
`28`	`33`
`29`	`34`	`impl AmpEnv {`
`@@ -60,6 +65,12 @@ impl AmpEnv {`
`60`	`65`	`.amp_query_retry_max_delay_seconds`
`61`	`66`	`.map(Duration::from_secs)`
`62`	`67`	`.unwrap_or(Self::DEFAULT_QUERY_RETRY_MAX_DELAY),`
	`68`	`+ flight_service_token: raw_env.amp_flight_service_token.as_ref().and_then(\|value\| {`
	`69`	`+ if value.is_empty() {`
	`70`	`+ return None;`
	`71`	`+ }`
	`72`	`+ Some(value.to_string())`
	`73`	`+ }),`
`63`	`74`	`}`
`64`	`75`	`}`
`65`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -561,6 +561,8 @@ struct Inner {`
`561`	`561`	`amp_query_retry_min_delay_seconds: Option<u64>,`
`562`	`562`	`#[envconfig(from = "GRAPH_AMP_QUERY_RETRY_MAX_DELAY_SECONDS")]`
`563`	`563`	`amp_query_retry_max_delay_seconds: Option<u64>,`
	`564`	`+ #[envconfig(from = "GRAPH_AMP_FLIGHT_SERVICE_TOKEN")]`
	`565`	`+ amp_flight_service_token: Option<String>,`
`564`	`566`	`}`
`565`	`567`
`566`	`568`	`#[derive(Clone, Debug)]`